AMENDMENTS TO THE CLAIMS:

This listing of claims will replace all prior versions, 
and listings, of claims in the application: 

LISTING OF CLAIMS:

1-9. (canceled) 

10. (currently amended) A network attack detection 
system, comprising processors programmed to perform the steps of: 

examining a header of a packet in transmission; 

observing values of one or more pre-specified fields in
the packet header; and

in a case where a number of distinct values observed in
the pre-specified fields reaches a pre-specified threshold
suggesting a pre-specified ratio within a pre-specified time
interval, judging that an unauthorized attack is in
progress[[,]];

wherein the judging is carried out based on one of the
following conditions where N(t) is the number of distinct values
of the field observed within a pre-specified time interval from
time t, N(tᵢ) is the number of distinct values of the field
observed within the pre-specified time interval from some time
tᵢ, P(t) is the number of packets in transmission within the
pre-specified time interval from time t, P(tᵢ) is the number of
packets in transmission within the pre-specified time interval
from some time tᵢ, and T(t) is the number of octets or bits in
the packets in transmission within the pre-specified time
interval from some time t, then start listing the alternative
conditions:

(a) [[N(t) is the number of distinct values of the field
observed within a pre-specified time interval from time t, N(tᵢ)
is the number of distinct values of the field observed within the
pre-specified time interval from some time tᵢ and]] if the ratio of
N(t) to N(tᵢ) is greater than or equal to a first pre-specified
threshold k₁, that is, if N(t)/N(tᵢ) ≥ k₁, the system will judge
that an attack is in progress;

(b) [[P(t) is the number of packets in transmission
within the pre-specified time interval from time t, and]] if the
ratio of the number of N(t) to P(t) is greater than or equal to a
second pre-specified threshold k₂, that is, N(t)/P(t) ≥ k₂, the
system will judge that an attack is in progress;

(c) [[P(tᵢ) is the number of packets in transmission
within the pre-specified time interval from some time tᵢ, and]] if
the ratio of [[the coefficient computed in (b) above for the time t
to that computed for the time tᵢ,]] {N(t)/P(t)} [[/]] to
{N(tᵢ)/P(tᵢ)}, is greater than or equal to a third pre-specified
threshold k₃, that is, {N(t)/P(t)} / {N(tᵢ)/P(tᵢ)} > k₃, the
system will judge that an attack is under progress; or

(d) [[T(t) is the number of octets or bits in the packets
in transmission within the pre-specified time interval from some
time t, and]] if the ratio N(t) to T(t) is greater than or equal to
a fourth pre-specified threshold k₄, that is, N(t)/T(t) ≥ k₄, the
system will judge that an attack is in progress.

11. (currently amended) The network attack detection
system according to claim 10, wherein [[arbitrary combinations of
two or more header fields are allowed, and the number of distinct
values observed for the resultant composite field is used to
compute the coefficient which is compared against the threshold]]
the processors are further programmed to perform the further step
of:

in a case where numbers of distinct values observed in
the pre-specified fields, comprising arbitrary combinations of
two or more header fields, reach a pre-specified threshold within
a pre-specified time interval, judging that an unauthorized
attack is in progress,

wherein the judging is carried out based on one of the
above conditions (a)-(d).

12. (currently amended) The network [[attach]] attack
detection system according to claim 10, wherein the processors
are further programmed to perform the further step of:

in a case where [[an illegal attack is inferred to be
underway when]] the Time To Live (TTL) value in the header field of
[[a]] the packet does not lie in the range of the values seen
beforehand for the source address in the header field of [[packets]]
the packet, judging that an unauthorized attack is in progress.

13. (currently amended) [[A]] The network attack
detection system according to claim 10, wherein the processors
are further programmed to perform the step of:

[[it is judged that an illegal attack has taken place by
observing the values of the packet header fields, and when the
number of distinct values seen in a combination of two or more
header fields exceeds a pre-specified threshold value within a
pre-specified time, it is judged that an attack is in progress]] in
a case where numbers of distinct values observed in the
pre-specified fields comprising of arbitrary combinations of two or
more header fields are greater than, or equal to, one's
pre-specified threshold value within a pre-specified time interval,
judging that an unauthorized attack is in progress.

14. (currently amended) The network attack detection
system according to claim 13, wherein the processors are further
programmed to perform the step of:

in a case where the judgment is made that an attack is
in progress, [[if]] the Time to Live (TTL) value in the header field
of the packet does not lie in the range of the values seen
beforehand for the source address in the header field of the
packet, judging that an unauthorized attack is in progress.

15. (currently amended) [[The]] A network attack tracking
system according to claim 10, comprising:

two or more of the network attack detection systems as
claimed as claim 10,

wherein a source of the unauthorized attack is searched
by deploying [[these systems]] said two or more of the network attack
detection systems at various places on the Internet.

16. (currently amended) [[The]] A network attack tracking
system according to claim 11, comprising:

two or more of the network attack detection systems as
claimed as claim 11,

wherein a source of the unauthorized attack is searched
by deploying [[these systems]] said two or more of the network attack
detection systems at various places on the Internet.

17. (currently amended) [[The]] A network attack tracking
system according to claim 12, comprising:

two or more of the network attack detection systems as
claimed as claim 12,

wherein a source of the unauthorized attack is searched
by deploying [[these systems]] said two or more of the network attack
detection systems at various places on the Internet.

18. (currently amended) [[The]] A network attack tracking
system according to claim 13, comprising:

two or more of the network attack detection systems as
claimed as claim 13,

wherein a source of the unauthorized attack is searched
by deploying [[these systems]] said two or more of the network attack
detection systems at various places on the Internet.

19. (currently amended) A network attack tracking
system according to claim 14, comprising:

two or more of the network attack detection systems as
claimed as claim 14,

wherein the source of the unauthorized attack is
searched by deploying [[these systems]] said two or more of the
network attack detection systems at various places on the
Internet.

20. (currently amended) A method for detecting a
network attack, comprising the steps of:

examining a pre-specified field in a header of a packet
in transmission for distinct values; [[and]]

observing values of one or more pre-specified fields in
the packet header; and

[[determining that an unauthorized attack is in progress
based on an observed number of distinct values in the examined]]

Docket No. 8075-1100 
Appln. No. 10/588,188 

[[pre-specified header field reaching a pre-specified threshold
within a pre-specified time interval, wherein,]] in a case where a
number of distinct values observed in the pre-specified field
reaches a pre-specified threshold suggesting a pre-specified
ratio within a pre-specified time interval, judging that an
unauthorized attack is in progress;

[[the determination includes that at least one of the
following conditions is satisfied]]

wherein the judging is carried out based on one of the
following conditions where N(t) is the number of distinct values
of the field observed within a pre-specified time interval from
time t, N(tᵢ) is the number of distinct values of the field
observed within the pre-specified time interval from some time
tᵢ, P(t) is the number of packets in transmission within the
pre-specified time interval from time t, P(tᵢ) is the number of
packets in transmission within the pre-specified time interval
from some time tᵢ, and T(t) is the number of octets or bits in
the packets in transmission within the pre-specified time
interval from some time t, then start listing the alternative
conditions:

(a) [[N(t) is the number of the distinct values of the
field observed within the pre-specified time interval from some
time t, N(tᵢ) is the number of distinct values of the field
observed within the pre-specified time interval from some time tᵢ
and]] if the ratio of N(t) to N(tᵢ) is greater than or equal to a
first pre-specified threshold k₁, that is N(t)/N(tᵢ) ≥ k₁, it will
be judged that an attack is in progress[[,]];

(b) [[P(t) is the number of packets in transmission
within the pre-specified time interval from some time t, and]] if
the ratio of N(t) to P(t) is greater than or equal to a second
pre-specified threshold k₂, that is, N(t)/P(t) ≥ k₂, it will be
judged that an attack is in progress[[,]];

(c) [[P(tᵢ) is the number of packets in transmission
within the pre-specified time interval from the time tᵢ, and]] if
the ratio of [[the coefficient computed in (b) above for the time t
to that computed for the time tᵢ,]] {N(t)/P(t)} [[/]] to
{N(tᵢ)/P(tᵢ)}[[,]] is greater than or equal to a third
pre-specified threshold k₃, that is,
{N(t)/P(t)} / {N(tᵢ)/P(tᵢ)} > k₃, it will be judged that an
attack is in progress[[,]]; [[and]] or

(d) [[T(t) is the number of octets or bits in the packets
in transmission within the pre-specified time interval from some
time t, and]] if the ratio N(t) to T(t) is greater than or equal to
a fourth pre-specified threshold k₄, that is, N(t)/T(t) ≥ k₄, it
will be judged that an attack is in progress.

21. (currently amended) The method [[of]] according to
claim 20, [[wherein,]] further comprising the step of:

[[said examining step examines a resultant composite
field comprising arbitrary combinations of two or more of header
fields, and

the number of distinct values observed for the
resultant composite field is used to compute the coefficient
which is compared against the threshold]]

in a case where numbers of distinct values observed in
the pre-specified fields, comprising of arbitrary combinations of
two or more header fields, reach a pre-specified threshold within
a pre-specified time interval, judging that an unauthorized
attack is in progress,

wherein the judging is carried out based on one of the
above conditions (a)-(d).

22. (currently amended) The method [[of]] according to
claim 20, comprising the further [[steps]] step of:

in a case where [[from an examined packet, inferring that
the unauthorized attack is underway when]] a Time To Live (TTL)
value in the [[pre-specified]] header field of the examined packet
[[is outside a]] does not lie in the range of the values seen
beforehand for the source address in the header field of the
examined packet, [[and after determining that the source address in
the header of the examined packet is legitimate, detecting the
unauthorized attack based on whether the TTL value is within a
pre-specified range of the expected TTL value for the source
address]] judging that an unauthorized attack is in progress.

23. (canceled) 

24. (previously presented) [[A]] The method [[for
detecting a network attack]] according to claim 20, further
comprising the step of:

[[observing values of packet header fields and upon
observing that a number of distinct values seen in a combination
of two or more header fields exceeds a pre-specified threshold
value within a pre-specified time, judging that an unauthorized
attack is in progress]]

in a case where numbers of distinct values observed in
the pre-specified fields comprising of arbitrary combinations of
two or more header fields are greater than, or equal to, one's
pre-specified threshold value within a pre-specified time
interval, judging that an unauthorized attack is in progress.

25. (currently amended) The method [[of]] according to
claim 24, further comprising the step of:

in a case where [[wherein a]] the Time To Live (TTL) value
in the packet header field of the packet [[is observed, and the
unauthorized attack in progress is judged upon the observed TTL
value being outside a]] does not lie in the range of the values
seen beforehand for the source address in the packet header field
of the packet, judging that an unauthorized attack is in
progress.

26. (canceled) 
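
The ratio tests of conditions (a)-(d) in claims 10 and 20, including the composite field of claims 11 and 21, can be illustrated as follows. This Python code is an added example, not part of the filed claims or of any implementation by the applicant; the function names, the 10-second window, the thresholds and the sample packets are assumptions constructed for illustration.

```python
from typing import Iterable, NamedTuple

class Stats(NamedTuple):
    n: int  # N: distinct values of the (possibly composite) header field
    p: int  # P: packets seen in the window
    t: int  # T: octets seen in the window

def window_stats(packets: Iterable[dict], start: float, length: float,
                 fields: tuple) -> Stats:
    """Count N, P and T over packets with start <= ts < start + length."""
    seen, p, t = set(), 0, 0
    for pkt in packets:
        if start <= pkt["ts"] < start + length:
            seen.add(tuple(pkt[f] for f in fields))  # composite key (claim 11)
            p += 1
            t += pkt["len"]
    return Stats(len(seen), p, t)

def judge(cur: Stats, ref: Stats, k1, k2, k3, k4) -> set:
    """Return labels of the conditions that hold; empty windows never fire."""
    fired = set()
    if ref.n and cur.n / ref.n >= k1:                      # (a) N(t)/N(t_i)
        fired.add("a")
    if cur.p and cur.n / cur.p >= k2:                      # (b) N(t)/P(t)
        fired.add("b")
    # (c) uses >= here, following the claim wording "greater than or equal to"
    if cur.p and ref.p and ref.n and (cur.n / cur.p) / (ref.n / ref.p) >= k3:
        fired.add("c")
    if cur.t and cur.n / cur.t >= k4:                      # (d) N(t)/T(t)
        fired.add("d")
    return fired

# Constructed sample traffic (not from the filing): a reference window with
# 4 source addresses, then a window where every packet has a new source.
SAMPLE = (
    [{"ts": i * 0.5, "src": f"192.0.2.{i % 4}", "len": 100} for i in range(20)]
    + [{"ts": 10 + i * 0.5, "src": f"198.51.100.{i}", "len": 40} for i in range(20)]
)

def demo() -> tuple:
    ref = window_stats(SAMPLE, 0, 10, ("src",))    # N=4,  P=20, T=2000
    cur = window_stats(SAMPLE, 10, 10, ("src",))   # N=20, P=20, T=800
    k = dict(k1=3, k2=0.8, k3=3, k4=0.01)          # assumed thresholds
    return judge(cur, ref, **k), judge(ref, ref, **k)
```
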






